Score:1

Security proof for TLS 1.x

In JKSS12, a proof for the handshake in TLS-DHE 1.2 is given, assuming (among other things) the PRF-ODH hypothesis on the PRF used to derive keys.

It is also stated that, if TLS 1.2 were to be modified to follow more closely the $\Sigma_0$ protocol from Canetti-Krawczyk, this protocol could be provably secure under a (weaker) DDH assumption instead of the PRF-ODH assumption (as is the case for the IKE protocol). This modification seems fairly straightforward, even though impossible to deploy at the time of this publication.

More recently, concerning TLS 1.3, existing proofs are still under the PRF-ODH hypothesis (see for example this thesis from Dowling, p. 153).

What was the rationale behind TLS 1.3, and why has a move towards $\Sigma_0$-like protocols not been made, as suggested in JKSS12? A DDH hypothesis seems more satisfying than a (stronger) PRF-ODH assumption, even if only for "security common ground" between TLS and IKE. My interest is mainly regarding TLS with ephemeral DH.

Thom Wiggers
You may be interested in https://eprint.iacr.org/2021/844